b'DOE F 1325.8\n(08-93)\n\nUnited States Government                                                           Department of Energy\n\n\nMemorandum\n        DATE:    March 8, 2011                                         Audit Report Number: OAS-L-11-03\n    REPLY TO\n    ATTN OF:     IG-32 (A10LV007)\n     SUBJECT:    Report on "Audit of National Security Technologies, LLC Internal Audit Function"\n           TO:   Manager, Nevada Site Office\n\n                 INTRODUCTION AND OBJECTIVE\n\n                 National Security Technologies, LLC (NSTec), has managed and operated the Nevada\n                 National Security Site since July 1, 2006, for the National Nuclear Security\n                 Administration\'s (NNSA) Nevada Site Office. NSTec is a joint venture between\n                 Northrop Grumman Corporation (Northrop Grumman), AECOM, CH2M Hill, and\n                 Nuclear Fuel Services. The contract requires NSTec to establish and maintain an\n                 independent internal audit function and to develop an Internal Audit Implementation\n                 Design that describes the audit organization, lines of reporting, oversight responsibilities,\n                 and auditing standards to be followed.\n\n                 To help ensure that only allowable costs are claimed by Department of Energy\'s\n                 (Department) management and operating contractors, the Office of Inspector General, the\n                 Department\'s Office of Procurement and Assistance Management, and contractors\n                 implemented a Cooperative Audit Strategy. This strategy relies on the contractors\'\n                 internal audit function to provide audit coverage of the allowability of incurred costs\n                 claimed by contractors. It requires that contractors structure their organizations so that\n                 the internal audit manager reports functionally to the Board of Directors (Board), audit\n                 committee or equivalent corporate independent governing body. The strategy\'s success\n                 depends on the organizational placement of the internal audit department and the internal\n                 audit function\'s adherence to the audit standards established by the International\n                 Standards for the Professional Practice of Internal Auditing (Standards) as promulgated\n                 by the Institute of Internal Auditors (IIA).\n\n                 Because the role of contractor internal audit departments is critical to the success of the\n                 Cooperative Audit Strategy, we performed this audit to determine whether audits\n                 conducted by the NSTec Internal Audit Department (Internal Audit) during Fiscal Years\n                 (FY) 2008 and 2009 met both quality and professional auditing standards.\n\n                 CONCLUSIONS AND OBSERVATIONS\n\n                 Although we found that NSTec Internal Audit generally met IIA Standards for the seven\n                 audits we reviewed, we identified a number of exceptions in one audit that resulted in that\n                 audit not meeting quality and professional standards. Specifically, we identified\n\x0cinstances in which Internal Audit had not ensured that relevant audit work supported\naudit conclusions and results. Further, although Standards require that the Internal Audit\nManager communicate directly with the Board, NSTec\'s Internal Audit Manager did not\nhave direct contact with the Board. We also found that, during FYs 2008 and 2009, the\nAudit Committee Chairman (Chairman) was not independent of company management\nsince he was also NSTec\'s Treasurer responsible for management of the company\'s bank\naccounts. The Audit Committee Handbook, as referenced by the IIA, states that audit\ncommittee members consist of outside members or independent directors.\n\nInternal Audit had not always met IIA Standards, in part, because it lacked a quality\nassurance and improvement program. Specifically, a 2009 NSTec Internal Audit Peer\nReview found that Internal Audit had not conformed to the IIA Standard for a quality\nassurance and improvement program because it had not established a formal process to\nmonitor and periodically assess the overall effectiveness of the audit quality. In response\nto Peer Review findings, Internal Audit began monitoring ongoing performance, and in\nthe first quarter of FY 2010, began performing self-assessments.\n\nOn the matter of organizational placement, we were told by the Internal Audit Manager\nthat he was not invited to Board meetings because he reports to the Audit Committee.\nFinally, we noted that, in May 2010, NSTec appointed a new Chairman who was not\ninvolved in the day-to-day management of the company.\n\nThe audit quality exceptions that we identified were isolated and NSTec officials told us\nthat they have acted to improve both the quality and independence of its internal audit\norganization since the time the audit in question was completed. To ensure these actions\nare completely implemented, we make several suggestions to address the issues identified\nin this report.\n\n                                      Audit Support\n\nContrary to the Standards\' requirement that relevant audit work support conclusions and\nresults, we found that changes made in the re-issuance of a 2008 Internal Audit report\nwere not fully supported. Specifically, Internal Audit issued a report entitled Livermore\nOperations Charging Practices, in December 2007, that identified (1) approximately\n$103,000 in charges to an inappropriate project account, and, (2) an unsupported\naccounting adjustment of $35,000. The workpapers supporting the audit indicated that\nNSTec\'s Livermore Operations Division had performed work on a cost reimbursement\nbasis for Livermore National Laboratory and had overcharged the project account by\n$103,000. Internal Audit also reported that it was unable to verify the accuracy of a\n$35,000 accounting adjustment to reallocate other mischarges (self-identified by\nmanagement) to Livermore projects. Subsequently, Internal Audit re-issued the report in\nApril 2008 but did not fully include either of the above issues. Our review showed that,\nalthough its workpapers provided support for the original issues, Internal Audit\'s\nworkpapers did not explain the reason for not fully disclosing these issues in the re-issued\nreport.\n\n\n\n\n                                     2\n\x0cSpecifically, we found that the report was re-issued after the Audit Committee Chairman\nhad auditors from Northrop Grumman\'s parent company review the internal auditors\'\nwork. The Chairman requested the assistance of the Northrop Grumman auditors\nbecause the original report had been issued without management\'s comments. Based on\nthe Northrop Grumman review, NSTec Internal Audit re-issued the report that identified\napproximately $89,000 of the $103,000 originally reported and did not discuss the\n$35,000 accounting adjustment. According to Internal Audit, the Northrop Grumman\nauditor assisted in preparing the re-issued report, but it was signed by the then Internal\nAudit Manager and the Audit Committee Chairman.\n\nOur review found that the Internal Audit workpapers did not provide a rationale for the\nreduction in mischarges or support the revised total of mischarges, and did not contain\nadditional support for the $35,000 accounting adjustment. Regarding changes in the re-\nissued report, the Northrop Grumman auditor that prepared the re-issued report:\n\n    \xe2\x80\xa2   Explained that NSTec Internal Audit did not have access to the entire history of\n        events that led to the reduction in the identified mischarge amount. The\n        Northrop Grumman auditor also stated that management\'s review supported the\n        lower amount of $89,000. However, the auditor acknowledged there was no\n        support for the revised amount in the workpapers or a reconciliation to support\n        the $14,000 reduction in reported mischarges; and,\n\n    \xe2\x80\xa2   Did not recall why the $35,000 accounting adjustment issue was not included in\n        the revised report. Based on our review of the workpapers, we concluded that\n        the Northrop Grumman auditor had not developed support for eliminating the\n        observation from the re-issued report.\n\nWe also determined that when Internal Audit originally reported on the matter it had not\ncorrectly calculated the $35,000 in mischarges identified in the initial report.\nSpecifically, Internal Audit had not added the overhead costs to the mischarged $35,000\nidentified by management. We were unable to determine the amount of overhead costs\nthat should have been added to the mischarged costs. The Department\'s Accounting\nHandbook, Chapter 15, Cost Accounting, requires that the proper allocation of overhead\ncosts be included when determining a product\'s costs.\n\nFinally, while Internal Audit issued the initial report stating that it complied with audit\nstandards, the revised report did not cite compliance with any audit standards. We were\nunable to ascertain why the report did not cite any standards. The Department\'s\nCooperative Audit Strategy requires that audits meet, at a minimum, the Standards.\n\n                              Communication Requirements\n\nAlthough not associated with the prior reporting problems, we found that the current\nInternal Audit Manager is not invited to and does not attend or participate in senior\nmanagement or NSTec\'s Board of Managers (NSTec\'s equivalent to a Board of Directors)\nmeetings. IIA Standards require that the Internal Audit Manager communicate and\n\n\n                                      3\n\x0cinteract directly with the Board. According to the Cooperative Audit Strategy, direct\ncommunication occurs, in part, when the Internal Audit Manager regularly attends and\nparticipates in meetings. The Internal Audit Manager further stated that he has not\nrequested to attend the senior management meetings because his position is not\nconsidered senior staff. Although the Internal Audit Manager told us that he is briefed by\nNSTec\'s Chief Operating Officer on the senior management meetings and has access to\nthe minutes and presentations of meetings, we concluded that the Internal Audit\nManager\'s inability to attend senior management meetings limits his opportunity to be\napprised of strategic business and operational developments, and to raise high-level risks\nor control issues at an early stage.\n\n                                       Independence\n\nAccording to The Audit Committee Handbook, as referenced by the IIA, audit committee\nmembers should consist of outside or independent directors. We reference the handbook\nas a best practice to help engender a high degree of integrity in the overall audit process.\nHowever, during FYs 2008 and 2009, we identified an independence issue with the\nChairman, who was also NSTec\'s Treasurer during that time. As Treasurer, the\nChairman maintained primary signatory authority and overall responsibility for all of\nNSTec\'s bank accounts. Accordingly, we did not consider the Audit Committee\nChairman an outside or independent director because he was directly involved in\nmanaging the corporation. While we did not consider the Chairman independent, we are\nnot aware of any improper transactions the Chairman made while serving as NSTec\'s\nTreasurer. In May 2010, a new Chairman was appointed who was not involved in any\nday-to-day NSTec operations.\n\n                                    Quality Assurance\n\nInternal Audit had not always met the IIA quality standard, in part, because it lacked a\nquality assurance and improvement program. IIA Standards require that NSTec Internal\nAudit have a quality assurance and improvement program. We noted that an independent\n2009 NSTec Internal Audit Peer Review, covering FYs 2004 through 2008, found that\nInternal Audit had not conformed to the Standard for a quality assurance and\nimprovement program. The peer review team reported that NSTec had not established a\nformal process to monitor and periodically assess the overall effectiveness of the audit\nquality. For example, Internal Audit had not established a formal process to monitor\nongoing performance of the internal audit activity, and had not performed periodic\nreviews through self-assessments. The Internal Audit Manager stated that his\npredecessors believed that sending out client surveys after each audit was sufficient to\nconstitute a quality assurance program. As a result of the peer review, Internal Audit\ninstituted a quality assurance and improvement program. In June 2009, Internal Audit\nbegan monitoring ongoing performance, and in the first quarter of FY 2010 began\nperforming self-assessments.\n\n\n\n\n                                      4\n\x0c                                    Suggested Actions\n\nWe noted that the NNSA Service Center\'s Office of Field Financial Management\n(OFFM) recently issued a report in September 2010 on NSTec\'s Internal Audit Function.\nThe objective of the review was to determine whether NSTec Internal Audit met both\nquality and professional auditing standards. OFFM reviewed four audits that were not\nincluded in our review. OFFM identified no significant weaknesses and concluded that\nInternal Audit met both quality and professional auditing standards.\n\nGiven that our findings appear to relate to isolated exceptions, the recently completed\nNNSA review confirmed that internal audits met auditing standards, and actions were\ntaken by NSTec to improve internal audit quality, we are not making any formal\nrecommendations. However, we suggest that the Nevada Site Office Manager:\n\n   \xe2\x80\xa2   Determine whether the $35,000 in mischarges identified in the original NSTec\n       Livermore Operations Charging Practices report were appropriately managed;\n       and,\n\n   \xe2\x80\xa2   Ensure that the NSTec Internal Audit Manager has sufficient interaction and\n       participation with senior management and the Board of Managers to carry out his\n       responsibilities.\n\nSince no recommendations are being made in this report, a formal response is not\nrequired. We appreciate the cooperation of your staff during the audit.\n\n\n\n\n                                      David Sedillo, Director\n                                      NNSA and Science Audits Division\n                                      Office of Inspector General\n\nAttachment\n\ncc: Director, Office of Internal Controls, NA-66\n    Assistant Director, Office of Risk Management, CF-80\n    Team Leader, Office of Risk Management, CF-80\n    Audit Resolution Specialist, Office of Risk Management, CF-80\n    Director, Office of Field Financial Management, NZ\n    Audit Liaison, Nevada Site Office\n\n\n\n\n                                     5\n\x0c                                                                                      Attachment\n\n\nSCOPE AND METHODOLOGY\n\nWe performed the audit between October 2009 and March 2010, and between September 2010\nand February 2011. We conducted our work at the Nevada Site Office and National Security\nTechnologies, LLC (NSTec) offices in Las Vegas, Nevada.\n\nTo accomplish the audit objective, we reviewed Department of Energy (Department) guidance\nand requirements for contractor internal audit functions as well as applicable standards for the\nprofessional practice of internal auditing. We interviewed key personnel at the Department,\nNSTec, and Northrop Grumman Corporation; reviewed 7 of 39 NSTec Internal Audit reports, the\nassociated workpapers, and supporting documentation; and, obtained information from selected\nDepartment contractor\'s internal audit departments regarding their participation in senior\nmanagement and board level meetings.\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objectives. We believe that the evidence obtained provides a reasonable basis\nfor our findings and conclusions based on our audit objectives. Because our review was limited,\nit would not necessarily have disclosed all internal control deficiencies that may have existed at\nthe time of our audit. We also assessed performance measures in accordance with the\nGovernment Performance and Results Act of 1993 and found that the Department had\nestablished performance measures related to internal audit activities. We did not rely on\ncomputer-processed data to satisfy our audit objective.\n\nManagement waived an exit conference.\n\n\n\n\n                                                6\n\x0c                                                                    IG Report No. OAS-L-11-03\n\n                           CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers\' requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding this\n   report?\n\n2. What additional information related to findings and recommendations could have been\n   included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s overall\n   message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues\n   discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should we have\n   any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Felicia Jones at (202) 253-2162.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly and cost\n  effective as possible. Therefore, this report will be available electronically through the Internet at the\n                                             following address:\n\n                   U.S. Department of Energy Office of Inspector General Home Page\n                                       http://www.ig.energy.gov\n\n      Your comments would be appreciated and can be provided on the Customer Response Form.\n\x0c'